A vulnerability in the HTML_QuickForm package has been found which potentially allows remote code execution.
A new release of the package is available which fixes this issue. One is strongly encouraged to upgrade to it by using:
$ pear upgrade HTML_QuickForm-3.2.15
Thanks to Patrick Fingle and the CiviCRM Security Team who reported this issue.